We recommend using Visual Studio 2017



The latest version of this topic can be found at __security_init_cookie.

Initializes the global security cookie.

void __security_init_cookie(void);  

The global security cookie is used for buffer overrun protection in code compiled with /GS (Buffer Security Check) and in code that uses exception handling. On entry to an overrun-protected function, the cookie is put on the stack, and on exit, the value on the stack is compared with the global cookie. Any difference between them indicates that a buffer overrun has occurred and causes immediate termination of the program.

Normally, __security_init_cookie is called by the CRT when it is initialized. If you bypass CRT initialization—for example, if you use /ENTRY to specify an entry-point—then you must call __security_init_cookie yourself. If __security_init_cookie is not called, the global security cookie is set to a default value and buffer overrun protection is compromised. Because an attacker can exploit this default cookie value to defeat the buffer overrun checks, we recommend that you always call __security_init_cookie when you define your own entry point.

The call to __security_init_cookie must be made before any overrun-protected function is entered; otherwise a spurious buffer overrun will be detected. For more information, see C Runtime Error R6035.

See the examples in C Runtime Error R6035.

RoutineRequired header

__security_init_cookie is a Microsoft extension to the standard C Runtime Library. For compatibility information, see Compatibility.

Not applicable. This function should only be called from native code, not managed code.

Compiler Security Checks In Depth